Sep 28, 2014

For quite a while I was running m0n0wall on an old Dell laptop with two NICs. This worked out pretty well because the laptop had a built-in screen, keyboard, and battery backup of sorts. It was also fairly portable. At some point I decided I wanted to do a bit more with my firewall and move to more powerful hardware. In particular, I wanted to try out pfSense, a m0n0wall fork. pfSense contains a package management system that allows you to install a wide variety of services, including Snort, Squid, FreeSWITCH, and OpenBGPD, to name a few. I'll return to these in subsequent posts. I also needed more interfaces to be able to properly segregate my wireless network from my wired network.

I've been a big fan of the smaller form factor x86 machines for a while. Serapeum was built on a MicroATX form factor, as is my current desktop system. µATX is great for smaller desktop machines but is a bit too large for a firewall solution.

Mini-ITX seemed like the perfect option. I selected the Jetway J7F2 board with a 1.5 GHz VIA C7 processor. Two compelling reasons for selecting this board were the PadLock engine, which provides hardware RNG, AES, and hashing acceleration, and support for daughter cards. Some quick OpenSSL benchmarks using the various engines provided these results:

cryptodev, kilobytes per second:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     10166.19k    10492.00k    10832.45k    10520.09k    10871.68k

padlock, kilobytes per second:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     69552.53k   221044.97k   475699.68k   662806.69k   745178.49k

The PadLock hardware engine provides a 6850% increase in AES-256 encryption over the software-based cryptodev. It peaks at about 5.7 gigabits per second. Cryptodev only achieves 85 megabits per second.
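The headline figure comes from the largest block size; this added example (not part of the original post) parses the two result rows above and computes the PadLock-to-cryptodev ratio for every block size. The function and variable names are my own, and the rows are copied from the tables in this post.

```python
import re

# Result rows copied from the two benchmark tables in this post.
CRYPTODEV = "aes-256-cbc 10166.19k 10492.00k 10832.45k 10520.09k 10871.68k"
PADLOCK = "aes-256-cbc 69552.53k 221044.97k 475699.68k 662806.69k 745178.49k"
BLOCK_SIZES = (16, 64, 256, 1024, 8192)  # column headers, in bytes

# One result row: a cipher name followed by throughput columns ending in "k".
ROW_RE = re.compile(r"^(\S+)((?:\s+\d+(?:\.\d+)?k)+)\s*$")


def parse_row(line):
    """Return (cipher, {block_size: throughput}) for one `openssl speed` row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an openssl speed result row: {line!r}")
    values = [float(v.rstrip("k")) for v in m.group(2).split()]
    if len(values) != len(BLOCK_SIZES):
        raise ValueError(f"expected {len(BLOCK_SIZES)} columns, got {len(values)}")
    return m.group(1), dict(zip(BLOCK_SIZES, values))


def speedups(baseline_row, engine_row):
    """Ratio of engine throughput to baseline throughput, per block size."""
    base_name, base = parse_row(baseline_row)
    eng_name, eng = parse_row(engine_row)
    if base_name != eng_name:
        raise ValueError(f"cipher mismatch: {base_name} vs {eng_name}")
    return {size: eng[size] / base[size] for size in BLOCK_SIZES}


def report():
    """Human-readable lines, one per block size."""
    ratios = speedups(CRYPTODEV, PADLOCK)
    return [f"{size:>5} bytes: {ratio:5.1f}x" for size, ratio in ratios.items()]


if __name__ == "__main__":
    print("\n".join(report()))
```

The ratio climbs from roughly 6.8x at 16-byte blocks to roughly 68.5x at 8192-byte blocks, so the gain seen by a real workload depends on how much data is handed to the engine per call.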